Hey everyone, Rob here again. With the release of Windows Server 2008 R2 and Windows 7 we have added new methods of enrolling for certificates: Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES). CEP is a web service that enables users and computers to obtain certificate enrollment policy information. This information includes what types of certificates can be requested and which CAs can issue them. CES is another web service that allows users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the CEP web service, CES enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain. CEP/CES also enables cross-forest policy-based certificate enrollment for Windows 7 or Windows Server 2008 R2 clients.

Certificate enrollment without CEP / CES

Prior to Windows 7 and Windows Server 2008 R2 the client requesting a certificate requires network access to a domain controller and the Certification Authority (CA).

Here is a high level description of the process that is used:

image

Figure 1 - legacy certificate enrollment

Step 1. LDAP queries to a domain controller for a list of templates and enterprise CA’s.

The client computer does several LDAP queries to a local domain controller to get the following:

  • Queries for a list of pKICertificateTemplate objects (Certificate Templates) within the forest.
  • Queries for a list of pKIEnrollmentService objects (Enterprise CA’s) within the forest.
  • Queries for a list of msPKI-Enterprise-Oid objects within the forest.

Once all of objects are returned to the client, it determines what Enterprise CA’s are available, and what certificate templates can be issued by each one of them. The client then determines the certificate templates for which it has permissions to enroll or autoenroll. If you are enrolling for certificates via the certificates snap-in it will display this list of available templates to the user.

Step 2. DCOM connection an Enterprise Certification Authority.

Once the client selects the certificate template for which to enroll, a DCOM connection is made to the CA. DCOM connects to the CertSrv Request DCOM interface to enroll for the certificate. The certificate is then handed back to the client.

You may be thinking at this point “how does it work with the Web Enrollment pages?”

Certificate web enrollment behaves in nearly the same way. The main difference is that in Figure 1 the web server running the CertSrv web pages would replace the Client. The actual Client communicates with the web enrollment pages over HTTP, so the web enrollment pages are acting as a proxy, querying Active Directory for a list of templates and converting the client’s HTTP based certificate request into a DCOM-based request that can be sent along to the CA.

As you can see the client has to have direct network connectivity to a domain controller and the Certification Authority to be able to enroll for certificates. With this as a requirement here are a few examples of where enrollment would fail:

  • Internet based clients that need to enroll for a certificate or renew a certificate.
  • Computers in a DMZ network. Typically computers in a DMZ do not have access to internal corporate resources like domain controllers and CA’s because either they are in a workgroup or they belong to a DMZ forest with a one way trust in place.
  • Non-domain joined workstations. They are unable to authenticate to a DC and perform the initial LDAP queries, and thus will never make it to step 2 - the RPC / DCOM call.

Certificate enrollment with CEP / CES

We listened to feedback from customers about the above limitations of enrolling for certificates. Our answer was to create two new web services to proxy the enrollment requests. This allows for CA isolation and removes the requirement that the client be able to contact a domain controller or CA directly.

These new roles are only available on Windows Server 2008 R2 and the only clients that are capable of requesting certificates via CEP and CES is Windows 7 and Windows Server 2008 R2. However the roles can be used with Windows Server 2003, 2008, and 2008R2 Certification Authorities (CA).

image

Figure 2 - CEP / CES certificate enrollment

NOTE: The CEP and CES web services can be installed on the same server or, as Figure 2 shows, installed on two separate servers.

Step 1. Client connects to the CEP web service over HTTPS.

The Windows 7 / Windows Server 2008R2 computer is configured to enroll for certificates against a CEP server. When a CEP server is configured in the environment the client will connect to the CEP server via port 443 (HTTPS), and connect to the CEP web service.

Administrators can configure via local / group policy what CEP server to use at the following locations:

Computer Configuration\Policies\Windows Settings\Security Policy\Public Key Policies\Certificate Services Client – Certificate Enrollment Policy

User Configuration\Policies\Windows Settings\ Security Policy\Public Key Policies\Certificate Services Client – Certificate Enrollment Policy

Step 2. – CEP web service queries LDAP.

The CEP service will send an LDAP query to a domain controller to get the following:

  • Queries for a list of pKICertificateTemplate objects (Certificate Templates) within the forest.
  • Queries for a list of pKIEnrollmentService objects (Enterprise CA’s) within the forest.
  • Queries for a list of msPKI-Enterprise-Oid objects within the forest.

Once all the objects are collected and sent back to the client computer it determines the types of certificate for which it can enroll and which enterprise CAs can issue those certificates. There is a new attribute on the CA’s pKIEnrollmentService object that tells the client computer what the URI’s are for the CES servers in the environment. The attribute name is msPKI-Enrollment-Servers. The attribute is a multi-valued string so there can be multiple URI’s defined if you need to support different authentication methods. More on that later.

Step 3. Client connects to the CES web service over HTTPS.

The client then connects to the CES web service that answers for the Certification Authority that is configured to issue the certificate. The actual CES URI is defined in the msPKI-Enrollment-Servers attribute on the pKIEnrollmentService object for that CA.

Step 4. CES web service impersonates the client security context to request a certificate via DCOM, and then hands the certificate back to the client.

Here are some common questions and answers around CEP / CES:

1. If I have Windows 7 or Windows Server 2008R2 are either CEP and CES required for certificate requests?

If the Windows 7 / 2008R2 computer exists in the same Active Directory forest as the CA, then no. If you do not install the new roles Windows 7/2008R2 can still request certificates in the way that legacy clients do (Figure 1). Just like those legacy clients, however, Windows 7/ 2008R2 clients will need network connectivity to a domain controller and the CA.

2. When would CEP / CES be a good solution for my environment?

CEP / CES should be used in the environment when you require any of the following:

  • Windows 7/2008R2 internet based clients need to be able to enroll for certificates.
  • Windows 7 / 2008R2 based clients in another forest need to enroll for certificates against a 2008R2 CA in a separate forest.
  • There is a requirement that client computers should not be able to access the CA directly over the network, or there is a Firewall between the CA and client computer and your clients are Windows7 /2008R2.

3. Where can the CEP / CES roles be installed?

  • The roles can be installed on the CA, but that would defeats the purpose since the client will still need network connectivity to the CA.
  • The roles can be installed on a domain member. The domain member could be on the internal network, or possibly in a DMZ. Please keep in mind that the CES role will require Kerberos delegation to be configured because it impersonates the user to the CA DCOM interface.
  • The roles can be installed on the same computer or on separate computers. Please keep in mind that the CES role will require Kerberos delegation to be configured because it impersonates the user to the CA DCOM interface.
  • Multiple instances of the CES web service can be installed on the same server. This allows you to increase the availability of the web service in environments with a large number of clients.

I hope that you have been able to learn a little more about these two new roles available on Windows Server 2008R2, and how to determine if you need to install and configure them. If you want more detailed information on CEP and CES you can review the Certificate Enrollment Web Services whitepaper.

Rob “minty” Greene